[gnutls-devel] gnutls 3.2.5
Tomas Hoger
thoger at redhat.com
Thu Oct 24 10:58:21 CEST 2013
On Thu, 24 Oct 2013 09:57:47 +0200 Nikos Mavrogiannopoulos wrote:
> On 10/24/2013 09:27 AM, Tomas Hoger wrote:
>
> >> ** libdane: Fixed a buffer overflow in dane_query_tlsa(). This
> >> could be triggered by a DNS server supplying more than 4 DANE
> >> records. Report and fix by Christian Grothoff.
> >
> > This sounds like a security fix rather than just a regular bug fix,
> > but 3.2.5 and 3.1.15 releases were not announced as security
> > updates. As I can't say I'm familiar with DANE, I wonder if I may
> > be missing some good reason why this isn't or should not be
> > considered a security fix.
>
> It is a security fix. There is no different process for them though.
> I should assign a GNUTLS-SA though.
Ok, thank you for the quick confirmation. I understand there's no
different process to produce such updates; tagging them as security can
help downstreams spot such must-have fixes.
--
Tomas Hoger / Red Hat Security Response Team